<disbelief>
    lemme get this straight. you can decrypt SSL traffic into a human readable format?
    you can crack a 128-bit certificate? what about a high-grade AES 256-bit pipe?
</disbelief>
 

 
________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)


If secure AMF is just AMF over SSL... it's easy enough to modify in transit.

Darrin, if you or your organization wants a demo of why these things are insecure, let me know.  I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs





Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." 
    --Thomas Jefferson



On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:


        *cough* BS. 

        Flash can be decompiled.

        I can watch all of the traffic.  Even over SSL. 

        I can modify AMF (I'd have to look @ secure AMF).  

        If you'd like to challenge me to hack the app, let me know.  I'm up for it. ;-)
        -dhs
        
        


        Dean H. Saxe, CISSP, CEH
        [EMAIL PROTECTED]
        "If liberty means anything at all, it means the right to tell people what they do not want to hear."
            -- George Orwell, 1945



        On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:


                You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app).

                I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to affect the client content.

                On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:



                        Charlie, my main issues with AJAX are dealing with cross-browser issues, and security.

                        AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve.

                        People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive.

                        But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

                        ----- Original Message ----
                        From: Charlie Arehart <[EMAIL PROTECTED]>
                        To: discussion@acfug.org
                        Sent: Friday, February 8, 2008 10:58:47 AM
                        Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)


                        That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and that Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away".

                        So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain Javascript. And we could of course do it from the server using either REST or SOAP apis. Ajax is just a simplified API to enable that very javascript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-) And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls.

                        If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardless of what web app server platform people use (and as well for those who have no server), and they provide an Ajax-based API to what (I suppose are otherwise REST-based) services, that seems to be just being smart, widening the pool of possible users.

                        Look at it another way (for us CFers), they (like Amazon, Ebay, and others) could instead just document calling from Java, ASP.NET, and PHP. They tend to not go that one step further to include CF. At least by their offering a platform-agnostic solution that doesn't require any server-side processing, they've helped more than just those who have no server to make calls from.

                        Just some thoughts. I'm not fanatical about all this, and I may well myself be missing a point. But since this is the ACFUG "discussion" list, that comment seemed one worth discussing. :-)

                        /charlie

                        -----Original Message-----
                        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
                        Sent: Thursday, February 07, 2008 5:30 PM
                        To: discussion@acfug.org
                        Subject: Re: [ACFUG Discuss] JVM version and ColdFusion


                        Thanks, Charlie. Your comments were very helpful!

                        I have been hoping that this AJAX thing would just go away, as it seems to be a step backwards, but it looks like it will be around a while longer!

                        Forrest C. Gilmore
                        ========================

                        Charlie Arehart wrote:

                                Forrest, I realize you've perhaps abandoned the effort, but I'll throw out some clarification if it's useful, first about the JRE/CFX issue, then about calling the google search APIs.

                        <snip>

        
                        -------------------------------------------------------------
                        Annual Sponsor FigLeaf Software - http://www.figleaf.com

                        To unsubscribe from this list, manage your profile @
                        http://www.acfug.org?fa=login.edituserform

                        For more info, see http://www.acfug.org/mailinglists
                        Archive @ http://www.mail-archive.com/discussion%40acfug.org/
                        List hosted by http://www.fusionlink.com
                        -------------------------------------------------------------
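The security argument running through this thread (Dean's point that a client's own traffic can be watched and modified even over SSL, and Shawn's that input validation gets forgotten once Ajax is in the picture) reduces to one defensive rule: the server validates and recomputes everything it receives, and any check done in the browser, whether in JavaScript or in a hidden Flash movie, is a convenience for honest users rather than a security control. The following is an added example written for this page, not code from any poster on this list or from any framework they mention; the JSON request shape, the CATALOGUE price table, the session object and the handler names naiveCheckout/hardenedCheckout are made-up assumptions for the illustration.

```javascript
// Added example, not from the thread: a server-side handler that treats every
// field of a client request as untrusted. The request shape, CATALOGUE table,
// session object and handler names are assumptions made up for this page.

// Constructed server-side price list (cents). Real code would query a database.
const CATALOGUE = Object.freeze({ "sku-100": 1999, "sku-200": 4999 });

// Naive handler: believes the total and role the client sent. A client that can
// read and rewrite its own traffic (decompiled Flash, a proxy in front of the
// browser, SSL or not) can set these fields to anything at all.
function naiveCheckout(body) {
  return { ok: true, charged: body.total, role: body.role || "user" };
}

// Hardened handler: validates structure and types, recomputes the total from
// server-side data, and takes the role from the server's own session record.
// Nothing the client computed is trusted.
function hardenedCheckout(body, session) {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, error: "payload must be an object" };
  }
  const items = body.items;
  if (!Array.isArray(items) || items.length === 0 || items.length > 50) {
    return { ok: false, error: "items must be a non-empty array (max 50)" };
  }
  let total = 0;
  for (const item of items) {
    if (typeof item !== "object" || item === null) {
      return { ok: false, error: "item must be an object" };
    }
    // hasOwnProperty guards against prototype names such as "constructor"
    // being accepted as a valid SKU.
    if (typeof item.sku !== "string" ||
        !Object.prototype.hasOwnProperty.call(CATALOGUE, item.sku)) {
      return { ok: false, error: "unknown sku" };
    }
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      return { ok: false, error: "qty must be an integer between 1 and 100" };
    }
    total += CATALOGUE[item.sku] * item.qty;
  }
  return { ok: true, charged: total, role: session.role };
}

// Constructed sample: what an honest client would send.
const HONEST_REQUEST = { items: [{ sku: "sku-100", qty: 2 }] };

// Constructed sample: the same order after being rewritten on the client side,
// with a bogus total and a role claim added. The server's session says "user".
const TAMPERED_REQUEST = {
  items: [{ sku: "sku-100", qty: 2 }],
  total: 1,
  role: "admin",
};
const SESSION = { role: "user" };

// Runs both handlers over the tampered request so the difference is visible.
function demo() {
  return {
    naive: naiveCheckout(TAMPERED_REQUEST),                // charged 1, role "admin"
    hardened: hardenedCheckout(TAMPERED_REQUEST, SESSION), // charged 3998, role "user"
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened handler never reads a price, a total or a privilege from the request body; it reads only the SKUs and quantities it needs to do its own arithmetic, and rejects anything that is not the exact shape it expects. That is what makes the "where do I hide the security check" question from earlier in the thread moot: the check lives on the server, where the client cannot decompile or rewrite it.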
                        






        